lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 5 May 2019 00:19:42 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     "Joel Fernandes (Google)" <joel@...lfernandes.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Michal Gregorczyk <michalgr@...e.com>,
        Adrian Ratiu <adrian.ratiu@...labora.com>,
        Mohammad Husain <russoue@...il.com>,
        Qais Yousef <qais.yousef@....com>,
        Srinivas Ramana <sramana@...eaurora.org>,
        duyuchao <yuchao.du@...soc.com>,
        Manjo Raja Rao <linux@...ojrajarao.com>,
        Karim Yaghmour <karim.yaghmour@...rsys.com>,
        Tamir Carmeli <carmeli.tamir@...il.com>,
        Yonghong Song <yhs@...com>,
        Alexei Starovoitov <ast@...nel.org>,
        Brendan Gregg <brendan.d.gregg@...il.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Peter Ziljstra <peterz@...radead.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Kees Cook <keescook@...omium.org>,
        Android Kernel Team <kernel-team@...roid.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Ingo Molnar <mingo@...hat.com>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH RFC] bpf: Add support for reading user pointers

On Thu, May 2, 2019 at 1:50 PM Joel Fernandes (Google)
<joel@...lfernandes.org> wrote:
>
> The eBPF based opensnoop tool fails to read the file path string passed
> to the do_sys_open function. This is because it is a pointer to
> userspace address and causes an -EFAULT when read with
> probe_kernel_read. This is not an issue when running the tool on x86 but
> is an issue on arm64. This patch adds a new bpf function call based
> which calls the recently proposed probe_user_read function [1].
> Using this function call from opensnoop fixes the issue on arm64.
>
> [1] https://lore.kernel.org/patchwork/patch/1051588/
...
> +BPF_CALL_3(bpf_probe_read_user, void *, dst, u32, size, const void *, unsafe_ptr)
> +{
> +       int ret;
> +
> +       ret = probe_user_read(dst, unsafe_ptr, size);
> +       if (unlikely(ret < 0))
> +               memset(dst, 0, size);
> +
> +       return ret;
> +}

probe_user_read() doesn't exist in bpf-next
therefore this patch has to wait for the next merge window.
At the same time we would need to introduce
bpf_probe_read_kernel() and introduce a load time warning
for existing bpf_probe_read(), so we can deprecate it eventually.

Powered by blists - more mailing lists